Pentest Toolbox Additions 2018

I’m a red teamer. I do work similar to pentesting and use many of the same tools. This year, I’ve added several tools to my toolbox. I’ll introduce them to you below and hope you find them valuable, as well.

I <heart> password spraying attacks where you guess a few common passwords against a large list of users. Why? Because it works! I used to get a little bummed when I would come up against a web application like Office365 where the login is a multi-step process. Such web apps required extra time to create a script to do the password spraying. In this case, DoubleTap is your best friend.

DoubleTap is a password spraying tool that can be quickly configured to password spray any web portal no matter the number of steps it takes. You simply tell it the name of the username and password fields where it should substitute in your values and the names of the buttons to “push” after entering the data. It comes with a module already set up and ready to go for spraying Office365, and you can easily add your own modules. Check it out here.

How do you build a list of usernames for use in your password spraying script? GatherContacts is a Burp Suite Extension that pulls employee names from Google and Bing search results. The searches specifically pull names from LinkedIn for the company name you specify. Follow the link for tips and tricks for massaging this list into various username formats.

Of course, if you are a password spraying addict, you will no doubt run into a situation where your IP address gets blocked from accessing the target server. In last year’s Toolbox Additions post, I discussed ProxyCannon as a solution for rotating your source IP address during a password spray to avoid detection. DoxyCannon is an alternative to ProxyCannon with some advantages.

DoxyCannon does not use Amazon cloud hosts. Instead, it spins up local virtual machines via Docker that route your traffic out several nodes of your chosen VPN provider. It is always nice to have options, and this is a nice alternative to avoid the Amazon cloud. DoxyCannon instructions and code can be found on GitHub here.
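As an added defender-side illustration (not code from this post or from any of the tools above), the following Python example flags a spray by counting distinct failing accounts per time window rather than per source IP, which is exactly the signal that source rotation like ProxyCannon or DoxyCannon is meant to blunt. The log format, usernames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of failed-login events (not from any real system).
SAMPLE_LOG = """\
2018-11-05T09:00:01Z LOGIN_FAILED user=alice src=203.0.113.10
2018-11-05T09:00:03Z LOGIN_FAILED user=bob src=203.0.113.10
2018-11-05T09:00:05Z LOGIN_FAILED user=carol src=198.51.100.7
2018-11-05T09:00:07Z LOGIN_FAILED user=dave src=192.0.2.44
2018-11-05T09:00:09Z LOGIN_FAILED user=erin src=198.51.100.7
2018-11-05T09:00:11Z LOGIN_FAILED user=frank src=192.0.2.44
2018-11-05T09:30:00Z LOGIN_FAILED user=alice src=203.0.113.10
2018-11-05T09:30:02Z LOGIN_FAILED user=alice src=203.0.113.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN_FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(text):
    """Parse the constructed log format into (epoch_seconds, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((int(ts.timestamp()), m["user"], m["src"]))
    return events


def detect_spray(events, window_s=300, min_users=5, max_per_user=2):
    """Flag windows where many distinct accounts each fail only a few times.
    Aggregating per window instead of per source IP keeps the signal intact
    even when the attacker rotates source addresses between attempts."""
    per_window = defaultdict(lambda: (defaultdict(int), set()))
    for ts, user, src in events:
        fails, srcs = per_window[ts // window_s]
        fails[user] += 1
        srcs.add(src)
    alerts = []
    for w, (fails, srcs) in sorted(per_window.items()):
        if len(fails) >= min_users and max(fails.values()) <= max_per_user:
            alerts.append({"window_start": w * window_s, "users": len(fails), "sources": len(srcs)})
    return alerts


def max_users_per_source(events):
    """The most a per-IP lockout rule could ever see: distinct users tried from one source."""
    users = defaultdict(set)
    for _, user, src in events:
        users[src].add(user)
    return max((len(u) for u in users.values()), default=0)
```

On the sample, the 09:00 window trips the rule with six accounts across three sources, while no single source touched more than two accounts, so a per-IP threshold of five would never fire; the 09:30 repeated failures against one account are left to a conventional brute-force rule.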

The hacker known as “Alex” discovered a neat trick for dumping a user’s cookies from Chrome via the command line. This is great for use through a Command & Control (C2) session. The output can then be copied and pasted into another browser to hijack all of the original user’s sessions. You do not need to know the victim’s password to dump the cookies.

The original Python implementation of the tool can be found here, and a cross-platform JavaScript version of the tool can be found here.

Use the EvilGinx server as a Man-in-the-Middle Proxy when phishing. You send the phish to your victim, enticing them to click on the link to your EvilGinx server. EvilGinx will pass the request along to the real server you are trying to mimic, such as a Facebook login, all the while spying upon all the information exchanged. EvilGinx will then report to you the credentials intercepted. Check out the nice video walkthrough here.

Slack is full of sensitive data. As a red teamer, it is advantageous to download all the messages, files and user profiles from your victim. This provides you with persistent, long-term access to the information. SlackExtract is a PowerShell script that will do this for you. The script code is also useful for blue teamers who want to find out what kind of sensitive information their users are posting to Slack.

Find the code and a nice walk-through here. A video walkthrough including ideas on how to detect this script in use can be viewed here.

About the Author: Carrie Roberts is a member of the Walmart Red Team performing Adversary Simulation. You can find her on Twitter at @OrOneEqualsOne. Opinions are her own and may not be in line with that of her employer.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.